2022 Attack Surface Intelligence Product Recap

Posted: 22nd December 2022
By: Esteban Borges

As 2022 draws to a close, we are wrapping up a successful year here at the Recorded Future Attack Surface Intelligence team.

Our mission is to shine a light on attack surface blind spots by providing an outside-in view of an organization while empowering security teams to prioritize and mitigate risk across their external infrastructure.

With multiple emerging geopolitical threats in mind, having relevant attack surface information at your fingertips is now more critical than ever to keeping your organization secure.

That’s why we’ve focused on delivering new features and updates throughout the year. So, without further ado, let's review the most impactful ways we’ve enhanced Attack Surface Intelligence during 2022.

Risk Rules Introduction

Risk Rules take your risk and vulnerability prioritization to the next level, so any organization can quickly identify the biggest weaknesses within their attack surface, in mere seconds. This feature includes:

Issues: This option lets you find which exact CVEs and critical misconfigurations are affecting your hosts, along with a general description of the issue.

Hosts: This tab will allow you to visualize a severity table ordered by High, Moderate, and Informational scores. This is especially useful when looking at your entire digital inventory, and knowing which assets are impacted by High or Moderate risks.

Activity Heatmap and Detailed Application View

This release included:

The Activity Heatmap was added to SurfaceBrowser™, initially at /app/sb/domain/[domain]/activity (now available from the Attack Surface Intelligence main menu) to allow users to view all newly observed assets created by day for a given domain while providing a chronological representation of your organization's surface area.

Detailed Application View: A new feature of the Attack Surface Intelligence Explorer Screenshots page, this change brings up a window that provides even more detailed information on a given application: screenshots and detected technologies.

Download Issues, Technical References & More

In this release, we covered the following features:

Download Issues: This new option lets you export the entire list of risks in CSV format for offline processing.

Technical References: Reference links have been added to some of the most popular risks, including links from different sources, like ExploitDB, NIST, our own Recorded Future, and others.

Screenshots and Technologies: On the Risk Rules 'Hosts' tab, for any particular host listed there, you'll find additional screenshots of public vulnerabilities, along with their technologies and open ports.

XSOAR Integration

The use of security orchestration, automation, and response (SOAR) platforms has become an essential industry practice in recent years, with market leaders like Cortex XSOAR leading the way in its implementation. So this year, we took yet another pivotal step by integrating our Attack Surface Intelligence platform with XSOAR to enrich and contextualize infrastructure risks on the road to improving incident management.

This integration with Cortex XSOAR works by linking your current Attack Surface Intelligence project within the Cortex XSOAR interface. Analyzing any results takes a few short steps, with features such as an incident overview dashboard going back a given number of days, an event filter according to severity level, or a timeline and similar investigative attributes enabling security teams to gain proper insight into every incident.

Risk Rules API and the Tines Integration

The Risk Rules API allows users to extract immediate data from CVEs, including vulnerability name, description, risk severity (classification), affected hostnames, technical references from the Internet, and project metadata such as ID, title, and snapshot creation date.

Tines Integration

In addition to that, the Tines integration makes use of all the information available from the Risk Rules API, so you can collect individual risk rules across the Attack Surface Intelligence platform. This will assist your team not only in accessing risk rules data enriched with vulnerability data from Recorded Future, but also in sending quick notifications via Slack to your security team, so they can prioritize and resolve risks accordingly via Jira and ServiceNow tickets.

Exposed Admin Panels

This was another handy release for Attack Surface Intelligence, covering:

Admin Panels, located within the Inventory tab, will help you view administrator panels from popular technologies and software which may be out of compliance, adding unnecessary risk to your organization. The Admin Panel feature works on deep paths and IPs without hostnames, includes firewalls, enterprise software, developer tools, and CMSs, and also adds new signatures frequently and automatically.

Risk History by Host

The Risk History by Host feature is the perfect tool for keeping historical track of your current vulnerabilities and misconfigurations. By listing them, you’ll know when they appeared for the very first time and, most importantly, when they were cleared (fixed/patched) and no longer showing on the Risk Rules report as a result.

Project Risk History tab, Screenshots, and UX Improvements

Project Risk History tab: this feature allows you to track the history of what's been added and cleared for a particular project. If you see 'Cleared', that means the risk wasn't found by our most recent scan, so we can presume that it has been patched or fixed.

Screenshots: If screenshots are available for the reported risk, we'll share them with you: a link will let you visualize what the risk looked like at the time of our initial scan.

We've renamed the old 'Filters' button as 'Mutes' and moved it to the upper right as a hamburger-style button. You can still mute by issue or by host, which is especially helpful when you want to reduce noise across hosts with many reported risks.

Rule Reasons, ‘End-of-Life Software’ Risk Rule, and Static Asset Improvements

This release included:

Rule Reasons: These give users insight into why we’re showing a particular asset as part of their asset list. They show in the popup modal for a specific IP or hostname, and you’ll also see a (?) bubble next to each domain indicating why it’s been included as part of your project.

End-of-Life Software Detection: The Internet is plagued by EOL software, but what’s worse is that numerous organizations aren’t up to date with this reality. Our new rule can let your security team know whenever your organization is running software that is nearing end-of-life or limiting its support, as a valuable notification to start thinking about upgrades to newer versions.

Static Asset Improvements: We’ve added a few improvements to how we handle static assets inside the Attack Surface Intelligence platform, including Bulk delete, Asset counts, Delete confirmations, Asset added dates and Improved readability.

As we head into a new year, our product and engineering teams are already working on multiple new features for Attack Surface Intelligence to be fully aligned with customer needs. If you have a feature request for next year, feel free to share your thoughts at [email protected]

Stay tuned to see the exciting improvements we'll be bringing out in 2023!
